|
85.
|
|
|
Another possible Samba permission is to declare <emphasis>administrative</emphasis> permissions to a particular shared resource. Users having administrative permissions may read, write, or modify any information contained in the resource where the user has been given explicit administrative permissions.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
../docs/sharing/C/sharing.xml:491(para)
|
|
86.
|
|
|
For example, to give the user <emphasis role="italic">melissa</emphasis> administrative permissions to the <emphasis role="italic">share</emphasis> example, the <filename>/etc/samba/smb.conf</filename> file would be edited to add the following line under the <emphasis>[share]</emphasis> entry:
|
|
|
|
(no translation yet)
|
|
|
|
Located in
docs/sharing/C/sharing.xml:454(para)
|
|
91.
|
|
|
Traditional Linux file permissions do not map well to Windows NT Access Control Lists (ACLs). Fortunately POSIX ACLs are available on <phrase>Kubuntu</phrase> servers providing more fine grained control. For example, to enable ACLs on <filename>/srv</filename> an EXT3 filesystem, edit <filename>/etc/fstab</filename> adding the <emphasis>acl</emphasis> option:
|
|
|
|
(no translation yet)
|
|
|
|
Located in
../docs/sharing/C/sharing.xml:531(para)
|
|
95.
|
|
|
The above example assumes <filename>/srv</filename> on a separate partition. If <filename>/srv</filename>, or wherever the share path is configured, is part of the <filename>/</filename> partition, a reboot may be required.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
../docs/sharing/C/sharing.xml:553(para)
|
|
96.
|
|
|
To match the Samba configuration above, the <emphasis>sysadmin</emphasis> group will be given read, write, and execute permissions to <filename>/srv/samba/share</filename>, the <emphasis>qa</emphasis> group will be given read and execute permissions, and the files will be owned by the username <emphasis>melissa</emphasis>. Enter the following in a terminal:
|
|
|
|
(no translation yet)
|
|
|
|
Located in
../docs/sharing/C/sharing.xml:560(para)
|
|
100.
|
|
|
The <application>setfacl</application> command above gives <emphasis>execute</emphasis> permissions to all files in the <filename>/srv/samba/share</filename> directory, which may or may not be desirable.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
docs/sharing/C/sharing.xml:613(para)
|
|
101.
|
|
|
A Windows client will show that the new file permissions are implemented. See the <application>acl</application> and <application>setfacl</application> man pages for more information on POSIX ACLs.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
../docs/sharing/C/sharing.xml:583(para)
|
|
103.
|
|
|
<phrase>Kubuntu</phrase> comes with the <application>AppArmor</application> security module, which provides mandatory access controls. The default AppArmor profile for Samba will need to be adapted to the proper configuration. For more details on using AppArmor, please refer to the<ulink url="https://help.ubuntu.com/community/AppArmor"> wiki</ulink>
|
|
|
|
(no translation yet)
|
|
|
|
Located in
../docs/sharing/C/sharing.xml:594(para)
|
|
104.
|
|
|
There are default AppArmor profiles for <filename>/usr/sbin/smbd</filename> and <filename>/usr/sbin/nmbd</filename>, the Samba daemon binaries, as part of the <application>apparmor-profiles</application> packages. To install the package, from a terminal prompt, enter:
|
|
|
|
(no translation yet)
|
|
|
|
Located in
../docs/sharing/C/sharing.xml:602(para)
|
|
107.
|
|
|
By default the profiles for <application>smbd</application> and <application>nmbd</application> are in <emphasis>complain</emphasis> mode, allowing Samba to work without modifying the profile, and only logging errors. To place the <application>smbd</application> profile into <emphasis>enforce</emphasis> mode, and have Samba work as expected, the profile will need to be modified to reflect any directories that are shared.
|
|
|
|
(no translation yet)
|
|
|
|
Located in
../docs/sharing/C/sharing.xml:619(para)
|